Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

MojoKid writes "Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. Most of the accounts supposedly belonged to spammers, and there were many duplicate entries, Twitter officials pointed out. However, to play it safe, you should probably change your Twitter password ASAP."

After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."

I don't know why anyone would ever talk to this guy again for the rest of his life.

I'd talk to him. He reported an Intelligence officer with access to sensitive information who was planning on leaking it because he was pissed off about the military's policy towards homosexuals. If you bother to read the conversations it's pretty fucking obvious that Manning had an axe to grind, went into the systems and dug up any and all information he thought might make the military look bad, and then leaked it. After the fact, he tried to claim that he was "blowing the whistle" on supposed war crimes w

There is no evidence Twitter themselves were "hacked".This is likely the password file from a spambot c&c network.

All* the twitter accounts shown follow the same naming and password rules. This is not typical of how a random selection of users would set up their account.In addition all/most of these accounts are or were suspended (typically this is for spam).

* I may have missed one, but given several others point out the same...

Well, looks like people have a list of 55,000 strong passwords to choose from now.

People who have memorization issues should start with perhaps a weaker password, then make it longer over time. I don't think password aging is a good idea as people will just choose weak passwords slightly modifying them each time.

A six digit, easy-to-read captcha seems like it should be easy for spammers to crack. Maybe twitter should require account verification using a mobile phone number? With no more than one account cre

Well managed sites do not store your password. They store an encryption HASH of your password. When you type in your password, they use the same routine to HASH what you type in and compare the hashes. You cannot go backward from a hash to a password (well, not a modern hash, and not with a password that isn't a simple common word). There is no excuse for a web site to actually have a stored copy of your actual password anywhere in their systems.

If only the world was so simple. Passwords sometimes need to be stored un-hashed. For example, your ISP may have your password unhashed or stored in a reversable encryption to facilitate secureish un-encrypted authentication such as CHAP.

And even if said well managed site stores salted hashes, it is often trivial for someone with access to a compromised server to log the username/password pairs before the salted hash is compared... and sure the client can send a salted hash which is salted based off a chall

Absolutely. Sure, if you want to follow a random selection of users then you're just going to get lots of updates on what people are having for lunch, but the trick is to follow people you find interesting. I mostly follow people involved in physics, maths, science writing and a few other topics I'm interested in. It's essentially a news feed if you get it right, I first heard about CERN's "super-luminal neutrinos" through Twitter.

Yes, there's a lot of noise (just try reading the "raw" feed if you want

It's a great way to catch breaking news if you don't sit in front of a TV all day. Yesterday would be a prime example, glancing down at my phone on an afternoon smoke break to find out the president had announced his support of same-sex marriage. It was a good hour or so before that had made its way through the major news sources. You can find accounts for everything from local news, to your state-level organizations and agencies, to specific committees in congress or the house.

If you look at the logins [airdemon.net] there is a mix of usernames and email addresses. Since Twitter lets you login using either your twitter handle or email address, it looks as if these were somehow keylogged or otherwise hijacked, as opposed to Twitter being hacked.